Cisco Splunk Enterprise Security Patch Fixed Windows Permissions Misconfiguration 

Summary: Two critical vulnerabilities affecting Splunk Enterprise and Splunk Universal Forwarder on Windows platforms were disclosed, both involving incorrect permission assignment during installation or upgrade. The vulnerabilities may enable attackers to achieve privilege escalation, information disclosure, or remote code execution.

OEM: Cisco Splunk
Severity: High
CVSS Score: 8.0
CVEs: CVE-2025-20386, CVE-2025-20387
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

This flaw gives non-administrative local users access to the default Splunk installation directories, potentially exposing sensitive configuration and log files or enabling malicious manipulation of their contents. Immediate patching to the fixed versions is strongly recommended to remove the local privilege escalation risk in affected environments.

Vulnerability Name: Incorrect Permissions Assignment in Splunk Enterprise for Windows
CVE ID: CVE-2025-20386
Product Affected: Splunk Enterprise (Windows)
Severity: High
Fixed Version: v10.0.2, v9.4.6, v9.3.8, v9.2.10 or latest version

Vulnerability Name: Incorrect Permissions Assignment in Splunk Universal Forwarder for Windows
CVE ID: CVE-2025-20387
Product Affected: Splunk Universal Forwarder (Windows)
Severity: High
Fixed Version: v10.0.2, v9.4.6, v9.3.8, v9.2.10 or latest version

Technical Summary 

The vulnerabilities arise from improper ACL configurations applied during new installations or upgrades of affected Splunk versions on Windows. Splunk installation directories – either C:\Program Files\Splunk or C:\Program Files\SplunkUniversalForwarder – are left with overly permissive access control.

This misconfiguration allows non-administrator users unintended access to these directories and their contents, which include sensitive configuration files, logs and executables.

While the flaw does not allow remote code execution, it significantly expands the local attack surface, potentially facilitating privilege escalation or unauthorized data access by users with limited privileges. 

CVE ID: CVE-2025-20386
System Affected: Splunk Enterprise, Windows versions prior to the fixed versions
Vulnerability Details: Incorrectly assigned folder permissions allow local low-privilege users access to the installation directory and its contents
Impact: Local privilege escalation, information disclosure

CVE ID: CVE-2025-20387
System Affected: Splunk Universal Forwarder, Windows versions prior to the fixed versions
Vulnerability Details: Incorrectly assigned folder permissions allow local low-privilege users access to the Universal Forwarder installation directory
Impact: Local privilege escalation, information disclosure

Remediation:  

Upgrade affected Splunk Enterprise and Universal Forwarder for Windows to one of these versions or newer:  

  • v10.0.2, v9.4.6, v9.3.8, v9.2.10

If an immediate upgrade is not feasible, apply the following mitigation steps as a local administrator, using Command Prompt or PowerShell, after installation or upgrade:

  1. icacls.exe "<installation_directory>" /inheritance:d
  2. icacls.exe "<installation_directory>" /remove:g *BU /T /C
  3. icacls.exe "<installation_directory>" /remove:g *S-1-5-11 /T /C
  4. icacls.exe "<installation_directory>" /inheritance:e /T /C
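As an added example, not part of the advisory or of Splunk's own tooling, the PowerShell script below audits the two default installation directories named above for Allow entries granted to BUILTIN\Users (the *BU alias, SID S-1-5-32-545) or Authenticated Users (SID S-1-5-11), the two principals the mitigation steps remove, and includes a helper that runs the advisory's four icacls commands in order. The function names Get-SplunkDirFinding and Repair-SplunkDirAcl are this example's own.

```powershell
# Added example (not from the advisory): audit the default Splunk directories for
# Allow ACEs granted to BUILTIN\Users (icacls alias *BU, SID S-1-5-32-545) or
# Authenticated Users (SID S-1-5-11), the two principals the mitigation removes.
# Function and parameter names are this example's own, not Splunk's.
$SplunkDirs  = @('C:\Program Files\Splunk', 'C:\Program Files\SplunkUniversalForwarder')
$SuspectSids = @('S-1-5-32-545', 'S-1-5-11')

function Get-SplunkDirFinding {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable or orphaned SID: not one of the two we look for
        if ($SuspectSids -contains $sid) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Repair-SplunkDirAcl {
    # Runs the advisory's four icacls commands, in order, against one directory.
    # Requires an elevated (local administrator) session.
    param([Parameter(Mandatory)][string]$Path)
    & icacls.exe "$Path" /inheritance:d
    & icacls.exe "$Path" /remove:g *BU /T /C
    & icacls.exe "$Path" /remove:g *S-1-5-11 /T /C
    & icacls.exe "$Path" /inheritance:e /T /C
}

foreach ($dir in $SplunkDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Output "$dir : not installed, skipped"; continue }
    $findings = @(Get-SplunkDirFinding -Path $dir)
    if ($findings.Count -eq 0) {
        Write-Output "$dir : no Allow ACEs for BUILTIN\Users or Authenticated Users"
    } else {
        $findings | Format-Table -AutoSize
        # Uncomment to apply the advisory's mitigation only where a finding exists:
        # Repair-SplunkDirAcl -Path $dir
    }
}
```

Inherited entries come from the parent folder's ACL (Program Files grants Users read and execute by default), so compare the Rights and Inherited columns to see which entries are explicit to the Splunk directory itself.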

You can also follow the recommendations below:

  • Restrict access to the installation directories and audit their permissions regularly.
  • Monitor system logs for unusual access patterns to Splunk installation paths. 
  • Educate users on the risks of privilege escalation vulnerabilities. 

Conclusion:
Splunk Enterprise and Universal Forwarder for Windows carry high-severity permission flaws, introduced during installs or upgrades, that expose their installation directories to non-administrative users.

Upgrade immediately to patched versions or apply mitigation commands to prevent local escalation and data exposure. Prioritize Windows Splunk patching with ongoing permission audits. 
